Initially I thought I saw your point, but I was wrong. You don't seem
to be making any sense.
On Sun, Jul 02, 2000 at 10:17:23PM -0400, Adam McKenna wrote:
[this sentence originally came after the next quoted block]
> If he can find a security hole that allows him to read files
> that don't belong to him, he now has the entire list of passwords.
Make the list readable only by root. Now a local user effectively
needs root access to read the APOP secrets. Once that local user has
rooted the box, I don't see why it matters that the secrets were
cleartext.
> That was entirely my point. IMO the "security cost" of saving cleartext
> passwords on the server is not worth the "security gain" of having POP3
> passwords encrypted when the user checks his mail. If someone is sniffing
> pop3 passwords then he has the ability to (most likely) only obtain a small
> number of passwords that way, as opposed to the attacker who has an account
> on the server.
So you don't care if anyone with network access has "a small number of
passwords"? Why is one user password better than another? If there
are local root vulnerabilities present on the system, any single user
account should be good enough to exploit them. Allowing someone to
sniff any number of passwords sounds like a Bad Thing(tm).
I have yet to work in an environment where it is harder to run a
packet sniffer than it is to find a local root vulnerability.
> If you're concerned about email security, APOP is not worth it. Go with SSL
> or another security model (like having virtual POP3 accounts that aren't UNIX
> users).
I think the point you are missing is that APOP effectively creates
virtual POP3 accounts with the same usernames as existing users. APOP
secrets are good for one thing and one thing only: accessing the POP
server. Once your local user has rooted the box to obtain all of the
APOP secrets, are you really concerned that they might subsequently
use those secrets to access user e-mail through the POP server?
APOP has the significant advantage that the string which goes over the
wire cannot be replayed in the future, while virtual POP3 accounts
have static passwords. APOP is not vulnerable to sniffing (*), but
POP3+virtual accounts is.
(*) This is wrt granting unauthorized access to the system. SMTP
isn't encrypted, so being able to sniff the contents of the e-mail as
it comes from the POP3 server isn't very exciting.
Yes, SSL covers all of these bases and then some, but the existence of
SSL doesn't mean that APOP is useless. Since there is no real
encryption involved (just one hash on each side), APOP will use far
fewer system resources. Combine that with the fact that SMTP is also
unencrypted, and a strong case can be made that POP3+SSL is major
overkill in a lot of situations.
Brian
PS Somewhere else in this thread someone mentioned that the only APOP
client they were aware of is Eudora. FWIW, fetchmail also supports
APOP.
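The exchange Brian describes above (a one-time challenge in the server banner, an MD5 digest from the client, and a server that must hold the shared secret in cleartext to check it) as an added worked example. This is not code from the original thread, from fetchmail or from any POP3 server; the secret store, hostname and sample secrets are constructed for illustration, and the digest format follows RFC 1939.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample secret store. APOP forces the server to keep the shared
# secret recoverable (effectively cleartext), because it has to recompute
# MD5(challenge + secret) itself; this is the file Brian says to make root-only.
APOP_SECRETS = {"alice": "correct horse battery staple"}


def server_greeting(hostname="pop.example.com", now=None, nonce=None):
    """Build the RFC 1939 banner '+OK ... <pid.clock@hostname>'.
    The angle-bracketed string is the one-time challenge for this session."""
    if now is None:
        now = int(time.time())
    if nonce is None:
        nonce = secrets.randbelow(1 << 32)
    challenge = f"<{nonce}.{now}@{hostname}>"
    return f"+OK POP3 server ready {challenge}", challenge


def apop_digest(challenge, secret):
    """RFC 1939 APOP digest: hex MD5 of the challenge followed by the secret."""
    return hashlib.md5((challenge + secret).encode()).hexdigest()


def client_apop(challenge, user, secret):
    """What the client sends on the wire: the user name and the digest,
    never the secret itself."""
    return f"APOP {user} {apop_digest(challenge, secret)}"


def server_verify(challenge, command):
    """Check an APOP command against the stored secret for this session's
    challenge. Returns True only if the digest matches."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    user, digest = parts[1], parts[2]
    secret = APOP_SECRETS.get(user)
    if secret is None:
        return False
    expected = apop_digest(challenge, secret)
    # Constant-time comparison so the check itself leaks nothing about the digest.
    return hmac.compare_digest(expected, digest)


def replay_is_rejected():
    """Why a sniffed APOP line is not reusable: a later session gets a fresh
    challenge, so the captured digest no longer matches. Returns
    (accepted_in_original_session, accepted_when_replayed)."""
    _, chal1 = server_greeting(now=100, nonce=1)
    sniffed = client_apop(chal1, "alice", APOP_SECRETS["alice"])
    ok_first = server_verify(chal1, sniffed)
    _, chal2 = server_greeting(now=101, nonce=2)
    ok_replay = server_verify(chal2, sniffed)
    return ok_first, ok_replay


def rfc1939_example():
    """The worked example from RFC 1939 section 7: challenge
    <1896.697170952@dbc.mtview.ca.us> with shared secret 'tanstaaf'."""
    return apop_digest("<1896.697170952@dbc.mtview.ca.us>", "tanstaaf")


if __name__ == "__main__":
    banner, chal = server_greeting()
    print("S:", banner)
    line = client_apop(chal, "alice", APOP_SECRETS["alice"])
    print("C:", line)
    print("S:", "+OK" if server_verify(chal, line) else "-ERR")
    print("replay accepted:", replay_is_rejected()[1])
```

The contrast with a static virtual-account password is that the sniffed `APOP` line is bound to one challenge, while a sniffed `PASS` line works in every later session. The flip side, as the thread notes, is that `APOP_SECRETS` cannot be stored as a one-way hash, since the server must feed the secret into MD5 itself; a hashed store would make `server_verify` impossible.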